| 1 | /* $NetBSD: qmgr.c,v 1.2 2017/02/14 01:16:46 christos Exp $ */ |
| 2 | |
| 3 | /*++ |
| 4 | /* NAME |
| 5 | /* qmgr 8 |
| 6 | /* SUMMARY |
| 7 | /* old Postfix queue manager |
| 8 | /* SYNOPSIS |
| 9 | /* \fBqmgr\fR [generic Postfix daemon options] |
| 10 | /* DESCRIPTION |
| 11 | /* The \fBqmgr\fR(8) daemon awaits the arrival of incoming mail |
| 12 | /* and arranges for its delivery via Postfix delivery processes. |
| 13 | /* The actual mail routing strategy is delegated to the |
| 14 | /* \fBtrivial-rewrite\fR(8) daemon. |
| 15 | /* This program expects to be run from the \fBmaster\fR(8) process |
| 16 | /* manager. |
| 17 | /* |
| 18 | /* Mail addressed to the local \fBdouble-bounce\fR address is |
| 19 | /* logged and discarded. This stops potential loops caused by |
| 20 | /* undeliverable bounce notifications. |
| 21 | /* MAIL QUEUES |
| 22 | /* .ad |
| 23 | /* .fi |
| 24 | /* The \fBqmgr\fR(8) daemon maintains the following queues: |
| 25 | /* .IP \fBincoming\fR |
| 26 | /* Inbound mail from the network, or mail picked up by the |
| 27 | /* local \fBpickup\fR(8) agent from the \fBmaildrop\fR directory. |
| 28 | /* .IP \fBactive\fR |
| 29 | /* Messages that the queue manager has opened for delivery. Only |
| 30 | /* a limited number of messages is allowed to enter the \fBactive\fR |
| 31 | /* queue (leaky bucket strategy, for a fixed delivery rate). |
| 32 | /* .IP \fBdeferred\fR |
| 33 | /* Mail that could not be delivered upon the first attempt. The queue |
| 34 | /* manager implements exponential backoff by doubling the time between |
| 35 | /* delivery attempts. |
| 36 | /* .IP \fBcorrupt\fR |
| 37 | /* Unreadable or damaged queue files are moved here for inspection. |
| 38 | /* .IP \fBhold\fR |
| 39 | /* Messages that are placed "on hold" are kept here until someone |
| 40 | /* sets them free. |
| 41 | /* DELIVERY STATUS REPORTS |
| 42 | /* .ad |
| 43 | /* .fi |
| 44 | /* The \fBqmgr\fR(8) daemon keeps an eye on per-message delivery status |
| 45 | /* reports in the following directories. Each status report file has |
| 46 | /* the same name as the corresponding message file: |
| 47 | /* .IP \fBbounce\fR |
| 48 | /* Per-recipient status information about why mail is bounced. |
| 49 | /* These files are maintained by the \fBbounce\fR(8) daemon. |
| 50 | /* .IP \fBdefer\fR |
| 51 | /* Per-recipient status information about why mail is delayed. |
| 52 | /* These files are maintained by the \fBdefer\fR(8) daemon. |
| 53 | /* .IP \fBtrace\fR |
| 54 | /* Per-recipient status information as requested with the |
| 55 | /* Postfix "\fBsendmail -v\fR" or "\fBsendmail -bv\fR" command. |
| 56 | /* These files are maintained by the \fBtrace\fR(8) daemon. |
| 57 | /* .PP |
| 58 | /* The \fBqmgr\fR(8) daemon is responsible for asking the |
| 59 | /* \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemons to |
| 60 | /* send delivery reports. |
| 61 | /* STRATEGIES |
| 62 | /* .ad |
| 63 | /* .fi |
| 64 | /* The queue manager implements a variety of strategies for |
| 65 | /* either opening queue files (input) or for message delivery (output). |
| 66 | /* .IP "\fBleaky bucket\fR" |
| 67 | /* This strategy limits the number of messages in the \fBactive\fR queue |
| 68 | /* and prevents the queue manager from running out of memory under |
| 69 | /* heavy load. |
| 70 | /* .IP \fBfairness\fR |
| 71 | /* When the \fBactive\fR queue has room, the queue manager takes one |
| 72 | /* message from the \fBincoming\fR queue and one from the \fBdeferred\fR |
| 73 | /* queue. This prevents a large mail backlog from blocking the delivery |
| 74 | /* of new mail. |
| 75 | /* .IP "\fBslow start\fR" |
| 76 | /* This strategy eliminates "thundering herd" problems by slowly |
| 77 | /* adjusting the number of parallel deliveries to the same destination. |
| 78 | /* .IP "\fBround robin\fR" |
| 79 | /* The queue manager sorts delivery requests by destination. |
| 80 | /* Round-robin selection prevents one destination from dominating |
| 81 | /* deliveries to other destinations. |
| 82 | /* .IP "\fBexponential backoff\fR" |
| 83 | /* Mail that cannot be delivered upon the first attempt is deferred. |
| 84 | /* The time interval between delivery attempts is doubled after each |
| 85 | /* attempt. |
| 86 | /* .IP "\fBdestination status cache\fR" |
| 87 | /* The queue manager avoids unnecessary delivery attempts by |
| 88 | /* maintaining a short-term, in-memory list of unreachable destinations. |
| 89 | /* TRIGGERS |
| 90 | /* .ad |
| 91 | /* .fi |
| 92 | /* On an idle system, the queue manager waits for the arrival of |
| 93 | /* trigger events, or it waits for a timer to go off. A trigger |
| 94 | /* is a one-byte message. |
| 95 | /* Depending on the message received, the queue manager performs |
| 96 | /* one of the following actions (the message is followed by the |
| 97 | /* symbolic constant used internally by the software): |
| 98 | /* .IP "\fBD (QMGR_REQ_SCAN_DEFERRED)\fR" |
| 99 | /* Start a deferred queue scan. If a deferred queue scan is already |
| 100 | /* in progress, that scan will be restarted as soon as it finishes. |
| 101 | /* .IP "\fBI (QMGR_REQ_SCAN_INCOMING)\fR" |
| 102 | /* Start an incoming queue scan. If an incoming queue scan is already |
| 103 | /* in progress, that scan will be restarted as soon as it finishes. |
| 104 | /* .IP "\fBA (QMGR_REQ_SCAN_ALL)\fR" |
| 105 | /* Ignore deferred queue file time stamps. The request affects |
| 106 | /* the next deferred queue scan. |
| 107 | /* .IP "\fBF (QMGR_REQ_FLUSH_DEAD)\fR" |
| 108 | /* Purge all information about dead transports and destinations. |
| 109 | /* .IP "\fBW (TRIGGER_REQ_WAKEUP)\fR" |
| 110 | /* Wakeup call. This is used by the master server to instantiate |
| 111 | /* servers that should not go away forever. The action is to start |
| 112 | /* an incoming queue scan. |
| 113 | /* .PP |
| 114 | /* The \fBqmgr\fR(8) daemon reads an entire buffer worth of triggers. |
| 115 | /* Multiple identical trigger requests are collapsed into one, and |
| 116 | /* trigger requests are sorted so that \fBA\fR and \fBF\fR precede |
| 117 | /* \fBD\fR and \fBI\fR. Thus, in order to force a deferred queue run, |
| 118 | /* one would request \fBA F D\fR; in order to notify the queue manager |
| 119 | /* of the arrival of new mail one would request \fBI\fR. |
| 120 | /* STANDARDS |
| 121 | /* RFC 3463 (Enhanced status codes) |
| 122 | /* RFC 3464 (Delivery status notifications) |
| 123 | /* SECURITY |
| 124 | /* .ad |
| 125 | /* .fi |
| 126 | /* The \fBqmgr\fR(8) daemon is not security sensitive. It reads |
| 127 | /* single-character messages from untrusted local users, and thus may |
| 128 | /* be susceptible to denial of service attacks. The \fBqmgr\fR(8) daemon |
| 129 | /* does not talk to the outside world, and it can be run at fixed low |
| 130 | /* privilege in a chrooted environment. |
| 131 | /* DIAGNOSTICS |
| 132 | /* Problems and transactions are logged to the \fBsyslog\fR(8) daemon. |
| 133 | /* Corrupted message files are saved to the \fBcorrupt\fR queue |
| 134 | /* for further inspection. |
| 135 | /* |
| 136 | /* Depending on the setting of the \fBnotify_classes\fR parameter, |
| 137 | /* the postmaster is notified of bounces and of other trouble. |
| 138 | /* BUGS |
| 139 | /* A single queue manager process has to compete for disk access with |
| 140 | /* multiple front-end processes such as \fBcleanup\fR(8). A sudden burst of |
| 141 | /* inbound mail can negatively impact outbound delivery rates. |
| 142 | /* CONFIGURATION PARAMETERS |
| 143 | /* .ad |
| 144 | /* .fi |
| 145 | /* Changes to \fBmain.cf\fR are not picked up automatically, |
| 146 | /* as \fBqmgr\fR(8) |
| 147 | /* is a persistent process. Use the command "\fBpostfix reload\fR" after |
| 148 | /* a configuration change. |
| 149 | /* |
| 150 | /* The text below provides only a parameter summary. See |
| 151 | /* \fBpostconf\fR(5) for more details including examples. |
| 152 | /* |
| 153 | /* In the text below, \fItransport\fR is the first field in a |
| 154 | /* \fBmaster.cf\fR entry. |
| 155 | /* COMPATIBILITY CONTROLS |
| 156 | /* .ad |
| 157 | /* .fi |
| 158 | /* Available before Postfix version 2.5: |
| 159 | /* .IP "\fBallow_min_user (no)\fR" |
| 160 | /* Allow a sender or recipient address to have `-' as the first |
| 161 | /* character. |
| 162 | /* .PP |
| 163 | /* Available with Postfix version 2.7 and later: |
| 164 | /* .IP "\fBdefault_filter_nexthop (empty)\fR" |
| 165 | /* When a content_filter or FILTER request specifies no explicit |
| 166 | /* next-hop destination, use $default_filter_nexthop instead; when |
| 167 | /* that value is empty, use the domain in the recipient address. |
| 168 | /* ACTIVE QUEUE CONTROLS |
| 169 | /* .ad |
| 170 | /* .fi |
| 171 | /* .IP "\fBqmgr_clog_warn_time (300s)\fR" |
| 172 | /* The minimal delay between warnings that a specific destination is |
| 173 | /* clogging up the Postfix active queue. |
| 174 | /* .IP "\fBqmgr_message_active_limit (20000)\fR" |
| 175 | /* The maximal number of messages in the active queue. |
| 176 | /* .IP "\fBqmgr_message_recipient_limit (20000)\fR" |
| 177 | /* The maximal number of recipients held in memory by the Postfix |
| 178 | /* queue manager, and the maximal size of the short-term, |
| 179 | /* in-memory "dead" destination status cache. |
| 180 | /* DELIVERY CONCURRENCY CONTROLS |
| 181 | /* .ad |
| 182 | /* .fi |
| 183 | /* .IP "\fBqmgr_fudge_factor (100)\fR" |
| 184 | /* Obsolete feature: the percentage of delivery resources that a busy |
| 185 | /* mail system will use up for delivery of a large mailing list |
| 186 | /* message. |
| 187 | /* .IP "\fBinitial_destination_concurrency (5)\fR" |
| 188 | /* The initial per-destination concurrency level for parallel delivery |
| 189 | /* to the same destination. |
| 190 | /* .IP "\fBdefault_destination_concurrency_limit (20)\fR" |
| 191 | /* The default maximal number of parallel deliveries to the same |
| 192 | /* destination. |
| 193 | /* .IP "\fItransport\fB_destination_concurrency_limit ($default_destination_concurrency_limit)\fR" |
| 194 | /* Idem, for delivery via the named message \fItransport\fR. |
| 195 | /* .PP |
| 196 | /* Available in Postfix version 2.5 and later: |
| 197 | /* .IP "\fItransport\fB_initial_destination_concurrency ($initial_destination_concurrency)\fR" |
| 198 | /* Initial concurrency for delivery via the named message |
| 199 | /* \fItransport\fR. |
| 200 | /* .IP "\fBdefault_destination_concurrency_failed_cohort_limit (1)\fR" |
| 201 | /* How many pseudo-cohorts must suffer connection or handshake |
| 202 | /* failure before a specific destination is considered unavailable |
| 203 | /* (and further delivery is suspended). |
| 204 | /* .IP "\fItransport\fB_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)\fR" |
| 205 | /* Idem, for delivery via the named message \fItransport\fR. |
| 206 | /* .IP "\fBdefault_destination_concurrency_negative_feedback (1)\fR" |
| 207 | /* The per-destination amount of delivery concurrency negative |
| 208 | /* feedback, after a delivery completes with a connection or handshake |
| 209 | /* failure. |
| 210 | /* .IP "\fItransport\fB_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)\fR" |
| 211 | /* Idem, for delivery via the named message \fItransport\fR. |
| 212 | /* .IP "\fBdefault_destination_concurrency_positive_feedback (1)\fR" |
| 213 | /* The per-destination amount of delivery concurrency positive |
| 214 | /* feedback, after a delivery completes without connection or handshake |
| 215 | /* failure. |
| 216 | /* .IP "\fItransport\fB_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)\fR" |
| 217 | /* Idem, for delivery via the named message \fItransport\fR. |
| 218 | /* .IP "\fBdestination_concurrency_feedback_debug (no)\fR" |
| 219 | /* Make the queue manager's feedback algorithm verbose for performance |
| 220 | /* analysis purposes. |
| 221 | /* RECIPIENT SCHEDULING CONTROLS |
| 222 | /* .ad |
| 223 | /* .fi |
| 224 | /* .IP "\fBdefault_destination_recipient_limit (50)\fR" |
| 225 | /* The default maximal number of recipients per message delivery. |
| 226 | /* .IP \fItransport\fB_destination_recipient_limit\fR |
| 227 | /* Idem, for delivery via the named message \fItransport\fR. |
| 228 | /* OTHER RESOURCE AND RATE CONTROLS |
| 229 | /* .ad |
| 230 | /* .fi |
| 231 | /* .IP "\fBminimal_backoff_time (300s)\fR" |
| 232 | /* The minimal time between attempts to deliver a deferred message; |
| 233 | /* prior to Postfix 2.4 the default value was 1000s. |
| 234 | /* .IP "\fBmaximal_backoff_time (4000s)\fR" |
| 235 | /* The maximal time between attempts to deliver a deferred message. |
| 236 | /* .IP "\fBmaximal_queue_lifetime (5d)\fR" |
| 237 | /* Consider a message as undeliverable, when delivery fails with a |
| 238 | /* temporary error, and the time in the queue has reached the |
| 239 | /* maximal_queue_lifetime limit. |
| 240 | /* .IP "\fBqueue_run_delay (300s)\fR" |
| 241 | /* The time between deferred queue scans by the queue manager; |
| 242 | /* prior to Postfix 2.4 the default value was 1000s. |
| 243 | /* .IP "\fBtransport_retry_time (60s)\fR" |
| 244 | /* The time between attempts by the Postfix queue manager to contact |
| 245 | /* a malfunctioning message delivery transport. |
| 246 | /* .PP |
| 247 | /* Available in Postfix version 2.1 and later: |
| 248 | /* .IP "\fBbounce_queue_lifetime (5d)\fR" |
| 249 | /* Consider a bounce message as undeliverable, when delivery fails |
| 250 | /* with a temporary error, and the time in the queue has reached the |
| 251 | /* bounce_queue_lifetime limit. |
| 252 | /* .PP |
| 253 | /* Available in Postfix version 2.5 and later: |
| 254 | |